
Monday, 20 March 2017

It's been a long time since I've seen a pump-and-dump spam run illegally pushing a stock as hard as this:

From:
To:
Date: 20 March 2017 at 09:30
Subject: This stock is about to receive a buy out at 10 times its current market price...

Dear Subscriber,

It's been a long time since I sent you my special newsletter containing a hot stock tip.
The reason for that is because I really haven't had many opportunities to present to you.

Incapta Inc (ticker: INCT) is a company that was brought to my attention earlier this morning
by one of my colleagues at an M&A firm in manhattan.

It seems that a buy out from DJI is imminent at $1.37 per share and is set to be announced
next week on Tuesday, March 28.

INCT is a company that has revolutionized the drone industry by creating the first independent drones
that can be dispatched to areas of interest such as crime scenes, car chases, wild fires, etc.

The network of drones operates by connecting to a cloud and complex algorithms efficiently dispatch the drones
within moments of an incident being reported.

This way the media outlet that owns the drones can be the first to the scene and get exclusive, live-streamed.

This has the potential to literally change the world of news broadcasting as we know it and DJI
(the most prominent drone-maker in the world) sees the potential of this technology which is why
they are willing to pay $1.37 a share to acquire it. A premium of over 1,000% over Friday's closing price.

Tell all your friends about INCT and make sure you buy it as soon as possible today at any price under
20 cents a share to guarantee yourself massive profits.

This company has millions of dollars worth of expenditure and almost zero income [source].

Towards the end of 2015, the stock was valued at $31,350 a share (!) but is now worth about 13 cents [source].

The spam is being sent from a botnet to random addresses. I have no evidence to suggest that Incapta Inc is behind this, but this commentary at InvestorsHub is not flattering.

Pump and dump spam like this is a criminal activity, and typically companies being promoted in this way are in terminal decline (but not always). Avoid buying stocks on the recommendation of criminals.

From:
To:
Date: 20 March 2017 at 17:11
Subject: You can make 10x on your money by next week if you buy this stock now.

Dear Subscriber,

Do you remember the last time I sent you a tip about a company worth buying in the market?

I was right on point as its shares shot up more than tenfold in under 7 days.
I had privileged information and I knew that something big was brewing.

It took me months to find the next stock that is somewhat similar to that last one I told you about,
but you can be certain that the upside potential is just as good.

Incapta Incorporated [symbol: INCT] is a company that is on the verge of being acquired by a large drone-maker competitor.

On March 28th (yes, next week) there is going to be something special announced that will take the share price from under 0.20 to over a dollar, overnight.

INCT specializes in the manufacturing of high-end specialized drones with real-world applications such as automated dispatching for news coverage by companies like CNN all the way to miniature drones which can be used to gather intelligence for the military, private investigators and police.

This cutting edge technology is changing the world as we know it, and INCT is at the forefront of it all which is why it’s being acquired and its share price is about to go ballistic.

Tell everyone you know to buy INCT right now and keep it on the low as much as possible.

UPDATE 2

Third version..

From:
To:
Date: 21 March 2017 at 07:17
Subject: Find out now why this company is going up tenfold by this time next week.

Dear profit seeker,

It’s been quite some time since I sent you information about a stock worth buying, but the last time I did the shares soared more than 15x.

This means that if you had put in just a grand you would have gotten 15k out of it when all is said and done.

Even if you only get 2 or 3 tips from me per year, all of them are guaranteed winners because I base my recommendations on knowing privileged information.

I don’t want you to miss out again so keep on reading to find out which company is going up 1,000% by this time next Tuesday.

Incapta Inc [tickersymbol: INCT] is about to be entirely acquired by an enormous multibillion dollar corporation.

On the 28 of March you can expect to see a public announcement made which will outline the details of this acquisition with the most important detail being the price at somewhere around $1.40

This means if you buy and hold INCT right now you’ll have a guaranteed profit of a thousand percent.

INCT is a company which has built “cloud droning”. That’s basically the ability for drones to have their own mind as they connect to a network of artificial intelligence and work with each other autonomously.

It is for example possible to set up a feature to dispatch them whenever there is a car accident somewhere in order to be the first on the scene. There are also endless military applications for these drones as the company has been in talks with the US Army for months already.

Please keep this information to yourself, don’t tell your friends or family to buy the stock now. This is exclusive to my subscribers only.

Cheers.

UPDATE 3

Another variant. Incidentally, this appears to originate from the Necurs Botnet which has also pushed Locky and Dridex in the past.

From:
To:
Date: 21 March 2017 at 14:06
Subject: Here is your chance to buy shares that will go up 10x by next week.

To all my subscribers,

As you obviously know, I have been quiet these last couple of months because I really have not had a stock worth recommending for purchase.

After the last stock’s 1,500% gains I really want to make sure that whatever I tell you to buy next will be a big winner since your expectations are high.

Today I want you to keep an eye on INCT (incapta inc) because something really huge is about to happen next week.

One of the gents I work with back in New York told me that INCT is on the verge of signing a deal to sell the company to a large multinational and this deal should be announced on Tuesday or Wednesday of next week and will carry a price per share of $1.38

I guess their special drone technology is too good to ignore, and a massive player wants to acquire all their know-how, IP and manufacturing capabilities.

That being said, this is a very rare opportunity to get in before the deal is officially announced and make a quick 10x on your principal in just 7 days.

Keep this on the low but do act quickly if you want to buy in. I recommend an entry point of 17 cents or under to maximize the upside.

All the best.

UPDATE 4

Another variant. The last time I looked, this spam run had persuaded people to buy more than six million shares in this company, which in my personal opinion appear to be worthless. There are only around 100 million shares, so this seems like a fair chunk.

From:
To:
Date: 22 March 2017 at 08:08
Subject: This public company is being bought out. Read now to profit from it.

Dear valued member,

It has been a very long time since I emailed you about a rare investment opportunity.

You signed up to my newsletter because you were seeking to only invest in companies which I can guarantee will go up and I only email you when I know one will.

The last stock I told you to buy went up about 1000% and this next one is guaranteed a solid 1300% keep on reading to find out why.

INCT (incapta inc) is a drone-maker with proprietary algorithms which essentially bring drones to life. These algorithms give the drones the capability to act independent of a physical operator.

Because of they own this amazing technology which they developed in house, they have been receiving huge attention from the US Army as well as several private firms including DJI and Amazon.

A guy I work with at a mergers and acquisition firm in New York told me that INCT is about to be bought out for $1.37 per share on Tuesday or Wednesday of next week. He has always come through for me.

While INCT may currently seem stagnant, that’s because very few people know about this imminent deal so don't let that fool you.

I don't expect the stock price to swing much in either direction until the takeover is announced next week, at which point it will shoot up to around $1.37 overnight.

You know what to do if you want to profit when this happens.

Keep it on the hush, but do act quickly.

Best Regards,
Viola Haney

UPDATE 5

Another variant. So far over 12 million shares have been traded although the stock price has slumped 47% since yesterday. This is over 10% of the company that has been traded, bringing in around $140,000 for whoever holds them (and in my opinion the shares are worth nothing at all).

From:
To:
Date: 22 March 2017 at 16:00
Subject: Read Now: Why this company’s shares are guaranteed to soar next week.

Howdy,

We haven't communicated in a while and you might be wondering why I'm emailing you now out of the blue but it's because I have something very special to share with you.

Remember this last company I told you to buy a few months ago? It jumped around 1000% in like two weeks if you recall.

I've got another one of those to share with you today and you could make some serious profits with it if you buy it now.

INCT (incapta inc) is a high technology company that's got some very special and unique drone systems. In fact, their stuff in so interesting that even the United States government has taken notice of it.
Anyway I won't bore you with the details, so the reason why I am telling you about INCT is because a buy out is imminent.
A gentleman I've known for almost a decade now who works out of an m&a company in manhattan told me that on March 28 INCT will be bought out by a large corporation at a price of $1.38 a share.

The stock is down today (these things happen), but it's absolutely meaningless and shouldn't scare you in any way, shape or form because once the buy out is announced, this stock is going to shoot up to 1.38 in a matter of minutes which is essentially guaranteed gains of about 1400% from current prices.

The stock is down because some investors are selling. It must be that they haven't heard the news, and they will be feeling very stupid next week when the announcement is made public.

Keep this on the low and feel free to buy as many shares as you possibly can right now.

Take care,
Vivian Rogers

UPDATE 6

12.7 million shares have now been traded, out of 100 million shares in total. Who actually holds this much stock in Incapta, Inc? According to SEC filings.. one person. Amusingly, the spammers forgot to mention the actual stock they were pushing..

From:
To:
Date: 23 March 2017 at 08:07
Subject: I've got strong reasons to believe that this stock is about to soar.

Alright, let's get right to it...

We've been out of touch for a while. I've been very busy looking for the next big stock that has the potential to explode and it took me months to find one.

If I can be honest, this one came to me as a god send. I got lucky. I have this friend who works at a law firm in NYC and we've known each other for a very long time.

Long story short, he told me that his firm is about to finalize a big takeover by a multibillion corporation. They're buying this tiny company that is now trading at just around 10 cents a share.

I couldn't believe my ears when I heard him say that they're paying somewhere between $1.30 and $1.39 for the company. The deal is closing and being announced mid next week.

I could get into what the company does, but who really cares right? All we need to know is that they are in the high tech industry and that this is going to be a huge buyout.

I recommend you buy shares as soon as possible today and wait it out until you get paid over $1.30 next week. The way takeovers work is that they will just credit this price per share, in cash, to your brokerage account and in exchange will take the shares that you bought at just pennies.

I may never have another tip like this, so cash in on it while you still can.

UPDATE 7

Another version pushing this (in my personal opinion) worthless stock. So far about 15 million of the apparently 100 million shares in this company have been traded, bringing SOMEBODY in more than $1.5m in cash. The profit they are getting depends on how much they paid of course.

From:
To:
Date: 24 March 2017 at 06:53
Subject: Allow me to share something profitable with you today.

If you're wondering why I'm emailing you now, out of the blue, after months of radio silence let me tell you that I have a good reason for that.

Do you remember the last time I sent you a tip? It was around November if I recall correctly.

If you bought that stock I told you about back then, you would've quadrupled your money at the very least.

Now here we are, a few months later and I've got something else to tell you about.

Basically if you remember, I've got a good acquaintance who works at a law firm in New York and when I took him out to a fancy steak dinner last Monday (with lots of wine) he became very talkative and let me in on a little tip.

This is what I want to share with you today. He essentially told me that some time mid next week, a small company called incapta (ticker: INCT) is going to announce that it's being acquired by a giant for a little over 1.30 a share (yes over a dollar thirty, and yes it's at just under 15 cents now)

He knows this because his law firm is the one that drafted all the paperwork for the deal and they are expected to finalize and sign the agreements today, with the official announcement coming some time between Tuesday and Thursday.

If you buy shares today, you are guaranteed to make approximately tenfold next week. The way it works is if you're holding the shares they will just take them out of your account automatically and credit you with the cash equivalent to 1.37 or so which you can take out whenever you want and spend on nice things.

Keep me in mind when you're rolling in it. I expect a big thank you and maybe a small gift!

UPDATE 8

InCapta's CEO, John Fleming, issued a statement denying that the firm had anything to do with this "newsletter" (actually a massive, illegal spam run)

SAN DIEGO, CA / ACCESSWIRE / March 23, 2017 / InCapta, Inc. (OTC PINK: INCT) announced today that it has been made aware of and requested by the OTC Markets Group, Inc. to comment on recent trading and promotional activity concerning INCT common stock.

On March 22, 2017, OTC Markets informed the Company that it became aware of certain promotional activities concerning InCapta and its common stock. OTC Markets informed the company that it had received copies of promotional newsletter emails encouraging investors to purchase the Company's common stock. The Company has been informed that this promotional activity coincided with higher than average trading volume in the Company's stock. The Company was unaware of the promotional activity until informed by OTC Markets and is unaware of the full nature and content of this promotional activity, the responsible parties, and the extent of the email newsletters' dissemination.

InCapta states definitively that the Company, its officers, directors and, to the Company's knowledge, its controlling shareholders (i.e., shareholders owning 10% or more of the Company's securities) have not, directly or indirectly, authorized or been involved in any way (including payment to a third-party) with the creation or distribution of promotional materials including these email newsletters; and that the Company, its officers, directors and, to the knowledge of the Company, any controlling shareholders, have not sold or purchased the Company's securities within the past 30 days other than as specified below.

"The Company is not aware of the promotional materials' author or its affiliated entities or persons. The Company's recent press releases have reported on and provided disclosure of legitimate and ongoing corporate activity only, and are not part of any promotional activities or campaign," stated John Fleming, CEO of InCapta. The Company encourages those interested in the Company to rely solely on information included in its press releases combined with its filings and disclosures made with OTCMarkets Group. The Caveat Emptor warning is mandated for 30 days, wherein a review by OTCMarkets shall take place to decide on its removal. The Company is determined to take appropriate measures in this time to satisfy, without delay, any and all concerns which brought on the label. We thank OTCMarkets for their openness and consideration to the investors of InCapta.

About InCapta, Inc.

InCapta, Inc., formerly known as TBC Global News Network, Inc., is a media holding company, which works with clients to develop, operate, and market online cloud Television networks and other entertainment projects. The Company participates in various fields of online business models by providing executive level managerial assistance as well as arranging for clients online presence through social media.

This is an automated message send by Royal
Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank
comply with current legislation, this message has been encrypted. Please
check attached documents for more information.

Note: You should not store confidential information unless it is encrypted.

CONFIDENTIALITY NOTICE:The contents of this
email message and any attachments are intended solely for the
addressee(s)and may contain confidential and/or privileged information
and may be legally protected from disclosure. If you are not the
recipient of this message or their agent, or if this message has been
addressed to you in error, please immediately alert the sender by reply
email and then delete this message and any attachments. If you are not
the recipient, you are hereby notified that any use, dissemination,
copying, or storage of this message or its attachments is strictly
prohibited.

RBCSecureMessage.doc
44K

Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.

Automated analysis is inconclusive [1][2]. The domain rbc-secure-message.com is fake and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.

Your order has been placed and items in
stock will be sent to the address shown below. Please check all the details
of the order to ensure they are correct as we will be unable to make changes
once the order has been processed. You will have been notified at the point
of order if an item is out of stock already with expected delivery date.

Delivery
Address[address redacted][telephone number redacted]

Delivery Method:
Standard Delivery

Your Order Information
Prices include VAT at 20%

Customer Service Feedback
We are always working to improve the products and service we provide to our
customers - we do this through a continual review of the product range, and
ongoing training of our Customer Service Team. We continually strive to
improve our levels of service and we welcome feedback from our customers
regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent
feedback company Feefo. It takes less than a minute to complete and we'd
really appreciate your feedback!

IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the
items have been shipped and include tracking details of the parcel so that
you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack
and despatch your order. If this is the case you will receive an email from
us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy.
Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom
and will do everything within our power to ensure you get the very best of
service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connections to Namecheap are worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy and hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailserver, and indeed there are 34 of the critters named mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain is revealing:

So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?
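How the SPF pass described above comes about, and how a domain owner could spot SPF ranges they never added, as an added example that is not part of the original post. The SPF record is constructed to cover 188.214.88.110 through 188.214.88.142 (the post's dig output is not reproduced here); the expected network 203.0.113.0/24, the function names and the treatment of mx119.argozelo.info as the connecting host name are assumptions.

```python
import ipaddress

# Constructed record (assumption): authorises 188.214.88.110-142 as the post describes.
SAMPLE_SPF = ("v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 "
              "ip4:188.214.88.128/29 ip4:188.214.88.136/30 "
              "ip4:188.214.88.140/31 ip4:188.214.88.142 -all")

# Hypothetical baseline: the only network the domain owner really sends mail from.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def evaluate(record, sender_ip):
    """Evaluate ip4 and all mechanisms left to right.

    Mechanisms that need DNS lookups (a, mx, include) are skipped here.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return RESULTS[qualifier]
        if name == "all":
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def unexpected_ranges(record, expected):
    """ip4 ranges that authorise senders outside every expected network."""
    flagged = []
    for qualifier, name, value in parse_spf(record):
        if name != "ip4" or qualifier != "+":
            continue
        net = ipaddress.ip_network(value, strict=False)
        if not any(net.subnet_of(known) for known in expected):
            flagged.append(net)
    return flagged


def review_message(record, sender_ip, client_host, envelope_from):
    """SPF result plus whether the connecting host belongs to the sender's domain.

    A mismatch is a signal, not a verdict: outsourced mail is often misaligned too.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    host = client_host.lower().rstrip(".")
    aligned = host == domain or host.endswith("." + domain)
    return {"spf": evaluate(record, sender_ip), "host_aligned": aligned}


if __name__ == "__main__":
    print(review_message(SAMPLE_SPF, "188.214.88.119",
                         "mx119.argozelo.info", "customer@localpoolrepair.com"))
    for net in unexpected_ranges(SAMPLE_SPF, EXPECTED_NETWORKS):
        print("SPF range outside expected networks:", net)
```

Run against your own domains' TXT records on a schedule, `unexpected_ranges` turns a silent DNS change like the one in this post into an alert.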

Monday, 23 January 2017

For the past six years I have been following the exploits of Patchree "Patty" Patchrint and Anthony Christopher Jones who claim to run a series of seminars on project management and grant writing. Umm.. and failed restaurants in Los Angeles. I'm not going to repeat all of the information in this post, I advise you to read the whole story.

This latest scheme is a quite snazzy-looking website at www.pmacademyusa.org called "Project Management Academy USA".

The website may look professional, but it is simply done using the WIX website builder:

You'll notice that the site supplies no information at all about who runs it. However a useful tip alerted me to the site, which is basically a more glitzy version of the Institute of Project Management America from a few years back, including this lazy example of copypasta:

About Project Management Academy USA

At Project Management Academy USA, our programs are led by practitioners-working professionals who are experts in the process of maximizing results using professional project management practices. Modern industry needs results driven professionals who are focused on a disciplined dedication to effective project management from initiation to closing. We strive to combine real-world scenarios, actual case-studies, with the knowledge provided by PMI and academic foundations to create certified project managers who are prepared for further certification and credential. Our programs are ultra-foundational, meaning they ensure attainment of the universal basics of project management, prepare participants for certification exams, and provide the advantage of our mastery components, which are unique to our programs and are followed by a Masters designation.

They currently advertise courses running in the following locations:

January 17-20, 2017, University of Southern California, 8:00am to 5:00pm

February 21-24, 2017, University of Miami, 8:00am to 5:00pm

February 28 - March 3, 2017, University of Texas at Austin, 8:00am to 5:00pm

March 21-24, 2017, University of California Berkeley, 8:00am to 5:00pm

March 28-31, 2017, University of Chicago, 8:00am to 5:00pm

Funnily enough, the venue seems to be changed at the last minute from the prestigious university it was advertised at to some other location in the rough vicinity. Also at the last moment, the person who was meant to be teaching the course is substituted by someone who has to fill in and who mysteriously seems to have problems getting paid (if this is you then please add a comment below).

If you have doubts about the quality of these courses, I urge you to read the posts and especially the comments that go with them. Those are not my words, but the words of the people unfortunate enough to either pay for a course or who turn up to teach.

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do given that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63). The receipt is in the attachment. Please study it and contact us.

-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.

-
Best Regards,
Lynn Drake

The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55. This Hybrid Analysis shows the Locky infection clearly and identifies some C2s; combining this with another source gives the following list of C2 servers:

The spam appears to come from a sender within the victim's own domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1][2] indicates that it works in a similar way to this other Locky ransomware run today.

The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1][2][3][4] shows the macro downloading a component from miel-maroc.com/874ghv3 (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.

--
King Regards,
Herman Middleton
IT Support Manager

Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detects C2 traffic to:

The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipient's email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.
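A gateway-side check for the link format described above, as an added example that is not part of the original post: it decodes Base64 query values in message URLs and reports when one is an email address, in particular the recipient's own. The `http://` scheme in the sample, the constructed message body and the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed message body using the host, path and token quoted in the post.
SAMPLE_BODY = """Please review the attached case file:
http://vantaiduonganh.vn/api/get.php?id=aGVscGRlc2tAZmJpLmdvdg==
"""


def decode_b64(value):
    """Decode standard or URL-safe Base64 to ASCII text; None if it is not Base64."""
    value = value.replace("-", "+").replace("_", "/")
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_recipient_tokens(body, recipient):
    """List URL parameters whose Base64-decoded value is an email address."""
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl turns "+" into a space, so restore it before decoding
            decoded = decode_b64(value.replace(" ", "+"))
            if decoded and EMAIL_RE.match(decoded):
                hits.append({
                    "host": parts.hostname,
                    "param": key,
                    "decoded": decoded,
                    "is_recipient": decoded.lower() == recipient.lower(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_recipient_tokens(SAMPLE_BODY, "helpdesk@fbi.gov"):
        print(hit)
```

A link that carries the recipient's own address as an opaque token is unusual outside of marketing platforms, so a hit on an unfamiliar host is worth holding for review.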

This DOC file contains a malicious macro; the Malwr report indicates that it downloads components from:

This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension ".osiris"

The more wordy version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name and it includes this body text:

Your message is ready to be sent with the following file or link attachments:

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

Dear webmaster : There is a message for you from 01435773591, on 2016/11/25 18:29:39 . You might want to check it when you get a chance. Thanks!

The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript that looks like this.
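An attachment check for the ZIP-with-script pattern described here and in the earlier posts (MPay3132224.zip, doc_6937209.zip, f_license_5330349.zip, Message_from_01435773591.wav.zip), as an added example that is not part of the original posts. The six-character shape assumed for names like ~_AB1C2D_~.js, the extension lists and the function names are assumptions; the sample archives are constructed in memory with placeholder content.

```python
import io
import re
import zipfile

# Script types that Windows will run on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Member-name shape quoted in the posts, e.g. ~_AB1C2D_~.js or ~_ZJR8WZ_~.js
TILDE_NAME = re.compile(r"^~_[A-Z0-9]{6}_~\.js$", re.IGNORECASE)
# Archive name posing as another file type, e.g. *.wav.zip
DOUBLE_EXT = re.compile(r"\.(wav|pdf|docx?|xlsx?|jpg|png)\.zip$", re.IGNORECASE)


def inspect_zip(filename, data):
    """Return the reasons to quarantine a ZIP attachment (empty list = none found)."""
    reasons = []
    if DOUBLE_EXT.search(filename):
        reasons.append("double extension on archive name")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + ["not a readable ZIP"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                reasons.append(f"encrypted member: {base}")
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"script member: {base}")
            if TILDE_NAME.match(base):
                reasons.append(f"campaign name pattern: {base}")
    return reasons


def build_sample(member_name, content=b"// constructed placeholder, not malware\n"):
    """Build a one-member ZIP in memory for testing the check."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    samples = [
        ("MPay3132224.zip", build_sample("~_AB1C2D_~.js")),
        ("Message_from_01435773591.wav.zip", build_sample("message.js")),
        ("report.zip", build_sample("notes.txt", b"hello\n")),
    ]
    for name, blob in samples:
        print(name, "->", inspect_zip(name, blob) or "no findings")
```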

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are: